[MAINT]: plugin crashes trying to create actions runner group

[jkruse14]

Describe the need

I am trying to create an actions runner group using a GitHub App Token with Org Admin write permission:

provider "github" {
  owner = var.organization
  app_auth {
    id = var.github_app_id
    installation_id = var.github_installation_id
    pem_file = base64decode(jsondecode(data.aws_secretsmanager_secret_version.github_app_private_key.secret_string)["privateKey"])
  }
}

data "github_repository" "terraform_aws_github_self_hosted_runners" {
  full_name = "my-repo"
}

resource "github_actions_runner_group" "team_groups" {
  name       = "DI_OPERATIONS"
  visibility = "selected"
  selected_repository_ids = [data.github_repository.terraform_aws_github_self_hosted_runners.repo_id]
}

This results in:

╷
│ Error: Plugin did not respond
│ 
│   with github_actions_runner_group.team_groups,
│   on main.tf line 128, in resource "github_actions_runner_group" "team_groups":
│  128: resource "github_actions_runner_group" "team_groups" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵

Stack trace from the terraform-provider-github_v5.18.3 plugin:

panic: interface conversion: interface {} is []interface {}, not []string

goroutine 31 [running]:
github.com/integrations/terraform-provider-github/v5/github.resourceGithubActionsRunnerGroupCreate(0x1086bc0?, {0xff4b60?, 0xc00028ad40})
	github.com/integrations/terraform-provider-github/v5/github/resource_github_actions_runner_group.go:103 +0x9ca
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0xc0006fd220, 0xc00093bc70, 0xc000947020, {0xff4b60, 0xc00028ad40})
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/resource.go:320 +0x438
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0xc00004aa00, 0xc0008938c8, 0x123e0ca?, 0xf?)
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/provider.go:294 +0x70
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0xc00000ec30, {0xc00094ad20?, 0x4b8786?}, 0xc00094ad20)
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/helper/plugin/grpc_provider.go:895 +0x7c5
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x11e7880?, 0xc00000ec30}, {0x1583180, 0xc0009639b0}, 0xc00094acb0, 0x0)
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/tfplugin5/tfplugin5.pb.go:3305 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0000001e0, {0x1586d48, 0xc0002991e0}, 0xc0009667e0, 0xc000375050, 0x1d72c40, 0x0)
	google.golang.org/grpc@v1.50.1/server.go:1340 +0xd13
google.golang.org/grpc.(*Server).handleStream(0xc0000001e0, {0x1586d48, 0xc0002991e0}, 0xc0009667e0, 0x0)
	google.golang.org/grpc@v1.50.1/server.go:1713 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/grpc@v1.50.1/server.go:965 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/grpc@v1.50.1/server.go:963 +0x28a

Error: The terraform-provider-github_v5.18.3 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Operation failed: failed running terraform apply (exit 1)
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

SDK Version

terraform-provider-github_v5.18.3

API Version

No response

Relevant log output

╷
│ Error: Plugin did not respond
│ 
│   with github_actions_runner_group.team_groups,
│   on main.tf line 128, in resource "github_actions_runner_group" "team_groups":
│  128: resource "github_actions_runner_group" "team_groups" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵

Stack trace from the terraform-provider-github_v5.18.3 plugin:

panic: interface conversion: interface {} is []interface {}, not []string

goroutine 31 [running]:
github.com/integrations/terraform-provider-github/v5/github.resourceGithubActionsRunnerGroupCreate(0x1086bc0?, {0xff4b60?, 0xc00028ad40})
	github.com/integrations/terraform-provider-github/v5/github/resource_github_actions_runner_group.go:103 +0x9ca
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0xc0006fd220, 0xc00093bc70, 0xc000947020, {0xff4b60, 0xc00028ad40})
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/resource.go:320 +0x438
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0xc00004aa00, 0xc0008938c8, 0x123e0ca?, 0xf?)
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/provider.go:294 +0x70
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0xc00000ec30, {0xc00094ad20?, 0x4b8786?}, 0xc00094ad20)
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/helper/plugin/grpc_provider.go:895 +0x7c5
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x11e7880?, 0xc00000ec30}, {0x1583180, 0xc0009639b0}, 0xc00094acb0, 0x0)
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/tfplugin5/tfplugin5.pb.go:3305 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0000001e0, {0x1586d48, 0xc0002991e0}, 0xc0009667e0, 0xc000375050, 0x1d72c40, 0x0)
	google.golang.org/grpc@v1.50.1/server.go:1340 +0xd13
google.golang.org/grpc.(*Server).handleStream(0xc0000001e0, {0x1586d48, 0xc0002991e0}, 0xc0009667e0, 0x0)
	google.golang.org/grpc@v1.50.1/server.go:1713 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/grpc@v1.50.1/server.go:965 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/grpc@v1.50.1/server.go:963 +0x28a

Error: The terraform-provider-github_v5.18.3 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Operation failed: failed running terraform apply (exit 1)
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

Code of Conduct

• I agree to follow this project's Code of Conduct

[michaelb38]

We are also facing this blocking issue with version 5.22.0 .

EDIT : after better analyze, the issue we face is in fact #1524 . As a temporary workaround, we had to downgrade to release 5.14.0

Stack trace from the terraform-provider-github_v5.22.0 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0xf6586d]

goroutine 32 [running]:
github.com/integrations/terraform-provider-github/v5/github.resourceGithubActionsRunnerGroupRead(0xc0007ca8c0, {0x1049ee0?, 0xc000550980?})
	github.com/integrations/terraform-provider-github/v5/github/resource_github_actions_runner_group.go:210 +0x82d
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc000549400, 0xc000892c80, {0x1049ee0, 0xc000550980})
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/resource.go:470 +0x1aa
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ReadResource(0xc00000e998, {0xc000114960?, 0x4b8786?}, 0xc000114960)
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/helper/plugin/grpc_provider.go:535 +0x34b
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ReadResource_Handler({0x12437c0?, 0xc00000e998}, {0x15e9260, 0xc000a68ba0}, 0xc0007ca3f0, 0x0)
	github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/tfplugin5/tfplugin5.pb.go:3269 +0x[170](https://github.enterprise.xxx/organization/repository/runs/903513?check_suite_focus=true#step:8:171)
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0001ca000, {0x15ed128, 0xc000029380}, 0xc00056d7a0, 0xc0002056e0, 0x1e095d0, 0x0)
	google.golang.org/grpc@v1.50.1/server.go:1340 +0xd13
google.golang.org/grpc.(*Server).handleStream(0xc0001ca000, {0x15ed128, 0xc000029380}, 0xc00056d7a0, 0x0)
	google.golang.org/grpc@v1.50.1/server.go:[171](https://github.enterprise.xxx/organization/repository/runs/903513?check_suite_focus=true#step:8:172)3 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/grpc@v1.50.1/server.go:965 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/grpc@v1.50.1/server.go:963 +0x28a

Error: The terraform-provider-github_v5.22.0 plugin crashed!

[kfcampbell]

Could you please provide a small reproductive example?

[jkruse14]

This should get you what you need.

provider "github" {
  owner = var.organization
  app_auth {
    id = var.github_app_id
    installation_id = var.github_installation_id
    pem_file = var.pem_file_content
  }
}

data "github_repository" "terraform_aws_github_self_hosted_runners" {
  full_name = var.repo_name
}

resource "github_actions_runner_group" "team_groups" {
  name       = var.runner_group_name
  visibility = "selected"
  selected_repository_ids = [data.github_repository.terraform_aws_github_self_hosted_runners.repo_id]
}

Can you confirm permissions needed by the GITHUB_TOKEN to create a runner group? Maybe I didn't set that correctly?

[kfcampbell]

Thank you. According to these docs, the required permissions scope is manage_runners:enterprise.

Regardless, it would be nice if the provider could handle these situations more gracefully.

[jkruse14]

Thank you. According to these docs, the required permissions scope is manage_runners:enterprise.

Regardless, it would be nice if the provider could handle these situations more gracefully.

What does that translate to in the permissions for the token on the runner set in the permissions block of the action yaml? The permissions I'm referring to can be found here

[kfcampbell]

The default token on the runner does not have enterprise scopes available. In order to manipulate enterprise-level resources, you'll need a personal access token or a GitHub App.

[jkruse14]

The default token on the runner does not have enterprise scopes available. In order to manipulate enterprise-level resources, you'll need a personal access token or a GitHub App.

But these runners are at the Org level

[kfcampbell]

Oh, my mistake. In that case, the required permissions are admin:org.

[jkruse14]

Perhaps I was thinking about this incorrectly. I'm using app_auth with the github terraform integration. The app has the following permissions:

Repositories:
Actions: read
meta-data: read

Organizations

• Administration: read and write
• Self-hosted runners: read and write
• Secrets: read

am I missing something here?

[jkruse14]

oh, i just saw that apps don't support all endpoints. It looks like runner groups is not supported, unless i missed it here

[kfcampbell]

Oh gosh, you're right, that's obnoxious. Perhaps we should document that in the provider as well in the hope of reducing confusion.

[jkruse14]

I've confirmed this works when using a fine grained access token!

[github-actions]

👋 Hey Friends, this issue has been automatically marked as stale because it has no recent activity. It will be closed if no further activity occurs. Please add the Status: Pinned label if you feel that this issue needs to remain open/active. Thank you for your contributions and help in keeping things tidy!